All processing happens locally in your browser. No data is sent to any server.
Secret Key
Settings
Provisioning URI
About TOTP
RFC 6238
- HMAC-based counter from Unix time
- Default: 30s period, 6 digits, SHA-1
- Dynamic truncation of HMAC output
- Compatible with Google Authenticator
Security Notes
- Keep secrets confidential
- Use SHA-256/512 when supported
- Consider time skew (±1 window)
- Secrets should be at least 160 bits